WhatsApp, Messenger may still put user information at risk

Do you know that despite the end-to-end encryption provided by popular messasing platforms like Facebook Messenger, WhatsApp and Viber, your sensitive information is vulnerable to hacking?

A new research has highlighted the importance of what is called an 'authentication ceremony' to help mitigate the risk.

Researchers from Brigham Young University (BYU) at Utah in the US found that most users of popular messaging apps like Facebook Messenger, WhatsApp and Viber are leaving themselves exposed to fraud or hacking because they are unaware of important security options like an 'authentication ceremony'.

The 'authentication ceremony' is a security practice to ensure the members involved in a communication are authentic. It is done by identifying the message recipient before sending out any sensitive or confidential information.

But because most users are unaware of the 'ceremony' and its importance, "it is possible that a malicious third party or man-in-the-middle attacker can eavesdrop on their conversations", said Elham Vaziripour, Computer Science student at BYU who led the study.

The researchers conducted a two-phase experiment in which they prompted participants to share a credit card number with another participant. Participants were warned about potential threats and encouraged to make sure their messages were confidential.

Only 14 per cent of users in the first phase managed to successfully authenticate their recipient. Others opted for ad-hoc security measures like asking their partners for details about a shared experience.

In the second phase, after researchers emphasised the importance of 'authentication ceremonies', 79 per cent of users were able to successfully authenticate the other party.

However, the participants averaged 11 minutes to authenticate their partners.

"Once we told people about the authentication ceremonies, most people could do it. But it was not simple, people were frustrated and it took them too long," noted Daniel Zappala, Professor, Computer Science, BYU.

Most people don't invest the time and effort to understand and use these security measures because they don't experience significant security problems. But there's always a risk in online communications.

The researchers are now working to develop a mechanism that makes the 'authentication ceremony' quick and automatic.

"If we can perform the authentication ceremony behind the scenes for users automatically or effortlessly, we can address these problems without necessitating user education," said Vaziripour.